US warns of security flaw which can compromise Wi-Fi connections (Update)

October 16, 2017
Security researchers have discovered a flaw which can compromise the security of Wi-Fi connections, according to a US government warning

A newly discovered flaw in the widely used Wi-Fi encryption protocol could leave millions of users vulnerable to attacks, prompting warnings Monday from the US government and security researchers worldwide.

The US government's Computer Emergency Response Team (CERT) issued a security bulletin saying the flaw can open the door to hackers seeking to eavesdrop on or hijack devices using wireless networks.

"Exploitation of these vulnerabilities could allow an attacker to take control of an affected system," said CERT, which is part of the US Department of Homeland Security.

The agency's warning came on the heels of research by computer scientists at the Belgian university KU Leuven, who dubbed the flaw KRACK, for Key Reinstallation Attack.

According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow vendors of Wi-Fi software and hardware to develop security patches before the details became public.

Attackers can exploit the flaw in WPA2—the name for the encryption protocol—"to read information that was previously assumed to be safely encrypted," said a blog post by KU Leuven researcher Mathy Vanhoef.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks."

The researcher said the flaw may also allow an attacker "to inject ransomware or other malware into websites."

The KRACK vulnerability does not recover the Wi-Fi password. It works by replaying message 3 of the WPA2 four-way handshake so that a client reinstalls a session key it is already using; the reinstallation resets the per-packet nonce and replay counter, the same keystream is then used for more than one frame, and captured traffic can be decrypted or replayed.

The Belgian researchers said in a paper that devices on all operating systems may be vulnerable to KRACK, including 41 percent of Android devices.
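The mechanism described above, reduced to a toy model as an added example. This is illustrative code written for this page, not code from the article or from the KU Leuven researchers. It assumes a constructed HMAC-based keystream in place of CCMP's AES-CTR, a simplified message 3 handler, and made-up frame contents; the Client class, krack_scenario and the key material are invented for the illustration. It models three client behaviours: the plain reinstallation the paper describes, the all-zero-key variant the researchers reported for wpa_supplicant 2.4/2.5 on Linux and Android 6.0+ (the Android figure quoted above), and the fix, a client that refuses to reinstall a key it already has in use.

```python
"""Toy model of WPA2 key reinstallation (KRACK). Added example, not the
researchers' code. The keystream below is a stand-in for CCMP's AES-CTR;
the real cipher differs, the nonce-reuse consequence does not."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream for one frame: same (key, nonce) gives the
    same bytes, which is exactly what KRACK forces the client to reuse."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


ZERO_KEY = bytes(16)


@dataclass
class Client:
    mode: str                     # "vulnerable", "zero_key" or "patched"
    ptk: Optional[bytes] = None   # pairwise transient key (constructed)
    pn: int = 0                   # CCMP packet number, used as the nonce

    def handle_msg3(self, ptk: bytes) -> None:
        """Receive message 3 of the 4-way handshake and install the key.
        The attacker replays this message after data frames have been sent."""
        if self.mode == "patched" and self.ptk == ptk:
            return                # key already in use: do not reinstall
        if self.mode == "zero_key" and self.ptk is not None:
            # wpa_supplicant 2.4/2.5 variant: the key was wiped from memory
            # after first use, so the "reinstalled" key is all zeros.
            ptk = ZERO_KEY
        self.ptk = ptk
        self.pn = 0               # nonce and replay counter reset

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        """Encrypt one frame under the current key and packet number."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def krack_scenario(mode: str) -> dict:
    """Constructed exchange: one frame before and one after a replayed
    message 3. Returns what an attacker watching the air can conclude."""
    ptk = hashlib.sha256(b"constructed PTK, not a real key").digest()[:16]
    known = b"GET /index.html HTTP/1.1"       # frame the attacker can guess
    secret = b"user=alice&pw=hunter2"         # frame the attacker wants

    client = Client(mode)
    client.handle_msg3(ptk)                   # handshake completes normally
    pn1, c1 = client.send(known)
    client.handle_msg3(ptk)                   # attacker replays message 3
    pn2, c2 = client.send(secret)

    if client.ptk == ZERO_KEY:
        # No known plaintext needed: the attacker tries the all-zero key.
        recovered = xor(c2, keystream(ZERO_KEY, pn2, len(c2)))
    elif pn1 == pn2:
        # Same key and nonce, so c1 ^ c2 == known ^ secret.
        recovered = xor(xor(c1, c2), known)[:len(secret)]
    else:
        recovered = None
    return {"nonce_reused": pn1 == pn2, "recovered": recovered}
```

Running krack_scenario("vulnerable") shows the nonce reset: the frame sent before the replayed message 3 and the one after both carry packet number 1, so XORing the two ciphertexts cancels the keystream and the attacker's guessed plaintext reveals the other frame. In the zero-key variant no guess is needed. The patched client keeps counting (packet numbers 1 and 2) and nothing is recovered; the replayed message 3 still arrives, but the client-side fix is simply to ignore a key it already has installed.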

'Be afraid'

The newly discovered flaw was serious because of the ubiquity of Wi-Fi and the difficulty in patching millions of wireless systems, according to researchers.

"Wow. Everyone needs to be afraid," said Rob Graham of Errata Security in a blog post.

"It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup."

Alex Hudson, of the British-based digital service firm Iron Group, said the discovery means that "security built into Wi-Fi is likely ineffective, and we should not assume it provides any security."

Hudson said Wi-Fi users who browse the internet should still be safe due to encryption on most websites but that the flaw could affect a number of internet-connected devices.

"Almost certainly there are other problems that will come up, especially privacy issues with cheaper Internet-enabled devices that have poor security," Hudson said in a blog post.

Researchers at Finland-based security firm F-Secure said in a statement the discovery highlights longstanding concerns about Wi-Fi systems' vulnerability.

"The worst part of it is that it's an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks," F-Secure said in a statement.

The F-Secure researchers said wireless network users can minimize the risks by using virtual private networks, and by updating devices including routers.

The Wi-Fi Alliance, an industry group which sets standards for wireless connections, said computer users should not panic.

"There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections," the group said in a statement.

"Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member."

Microsoft said it released a patch on October 10 to protect users of Windows devices.

"Customers who have Windows Update enabled and applied the security updates, are protected automatically," Microsoft said.

A Google spokesman said, "We're aware of the issue, and we will be patching any affected devices in the coming weeks."

Comments

5 / 5 (2) Oct 16, 2017
If this has been quietly circulated to manufacturers, why don't I have software updates to my Mac & router available this morning??

The flaw discoverer's site indicates Linux (2.4+?) and Android 6 are particularly impacted because the exploit causes them to use an all zeros encryption key(!)

not rated yet Oct 16, 2017
Apple has been known to let security flaws sit unpatched for as much as two years, I'm not surprised that there isn't an update to your Mac. If you call their Genius Bar they'll probably tell you to upgrade to new hardware.

not rated yet Oct 16, 2017
The researchers disclosed this information privately to a number of manufacturers before presenting it publicly. The only operating system that was patched prior to the public release of this information is OpenBSD. What about the others indeed...
